# Worker processes run under the `nginx` account.
user nginx;
# A single worker process handles all connections.
worker_processes 1;
# File in which the master process stores its PID.
pid /var/run/nginx.pid;

events {
    # Upper bound on simultaneous connections per worker process.
    worker_connections 1024;
}

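# HTTP/HTTPS front end for the PHP application under /var/www/app, served through PHP-FPM.
http {
    include       mime.types;
    default_type  application/octet-stream;

    sendfile           on;
    tcp_nopush         on;
    tcp_nodelay        on;
    keepalive_timeout  65;
    # Do not advertise the nginx version in the Server header or on error pages.
    server_tokens      off;
    # NOTE(review): with access logging off there is no per-request record for
    # detection or incident response unless an upstream proxy or the
    # application logs requests — confirm one of them does.
    access_log         off;
    error_log          /dev/stderr;

    fastcgi_buffers 16 16k;
    fastcgi_buffer_size 32k;

    server {
        # NOTE(review): port 80 serves the application in cleartext; no redirect
        # to HTTPS and no HSTS header are configured here (the generator URL
        # below has hsts=false). Presumably TLS is enforced by a front proxy —
        # confirm, otherwise session cookies and credentials can cross the
        # network unencrypted.
        listen                    80;
        listen                    443 ssl http2;
        server_name               localhost;
        index                     index.php;
        root                      /var/www/app;
        # Caps request bodies (uploads) at 32 MB.
        client_max_body_size      32M;

        # https://ssl-config.mozilla.org/#server=nginx&version=1.18.0&config=intermediate&openssl=1.1.1i&hsts=false&ocsp=false&guideline=5.6
        ssl_certificate           /etc/nginx/ssl/kanboard.crt;
        ssl_certificate_key       /etc/nginx/ssl/kanboard.key;
        ssl_protocols             TLSv1.2 TLSv1.3;
        # All suites are AEAD with forward secrecy. No ssl_dhparam is set in this
        # file, so on nginx >= 1.11.0 the DHE-RSA-* entries are not offered.
        ssl_ciphers               ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers off;
        ssl_session_timeout       1d;
        ssl_session_cache         shared:MozSSL:10m;
        # Session tickets off: resumption relies on the shared cache only, so no
        # long-lived ticket key exists that could weaken forward secrecy.
        ssl_session_tickets       off;

        # Front controller: anything that is not an existing file or directory
        # is routed to index.php with the original query string.
        location / {
            try_files $uri $uri/ /index.php$is_args$args;
        }

        # Deny rules come BEFORE the PHP handler. nginx evaluates regex
        # locations in file order and stops at the first match; with the PHP
        # location listed first, a request such as /data/<name>.php would be
        # passed to PHP-FPM instead of being rejected here.
        #
        # The pattern is unanchored, so it matches "/data" anywhere in the URI,
        # not only the top-level data directory.
        location ~ /data {
            return 404;
        }

        # Never serve log files or SQLite databases, wherever they are.
        location ~* ^.+\.(log|sqlite)$ {
            return 404;
        }

        # Hide .htaccess / .htpasswd style files.
        location ~ /\.ht {
            return 404;
        }

        location ~ \.php$ {
            # Only hand files that actually exist to PHP-FPM; this blocks
            # requests like /upload.jpg/x.php from reaching the interpreter.
            try_files $uri =404;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass unix:/var/run/php-fpm.sock;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_index index.php;
            include fastcgi_params;
            # NOTE(review): $host is taken from the request (Host header), so
            # SERVER_NAME is client-influenced. If the application builds
            # absolute URLs (e.g. in e-mails) from it, pin the public URL in
            # the application configuration — confirm.
            fastcgi_param SERVER_NAME $host;
        }

        # Static assets: cached by clients for 7 days, missing files not logged.
        location ~* ^.+\.(ico|jpg|gif|png|css|js|svg|eot|ttf|woff|woff2|otf)$ {
            log_not_found off;
            expires 7d;
            etag on;
        }

        # NOTE(review): text/html is always compressed when gzip is on, and
        # application/json is listed below. Compressing TLS responses that mix
        # secrets with request-reflected data is the precondition for
        # BREACH-style leaks — confirm this is acceptable for the application.
        gzip on;
        gzip_comp_level 3;
        gzip_disable "msie6";
        gzip_vary on;
        gzip_types
            text/javascript
            application/javascript
            application/json
            text/xml
            application/xml
            application/rss+xml
            text/css
            text/plain;
    }
}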
